-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello. I prepared an LTS security update for leptonlib. Please review and upload. You can find the debdiff attached to this mail. link: https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc I did the following tests. - - Installed the new build on a wheezy machine - - Tested against the PoC from https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 - - Ran all regression tests provided in prog/alltests_reg.c - - Ran prog/comparetest.c, as it is one of the programs that uses `gplot` -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlqEAJ4ACgkQhj1N8u2c KO8uBQ//WE7DHX6XPpvmASeAI0clLUBw2zzVn8xM6w2uAqCWKtXeS0wqsDgy4urj JS9ggebmHC+aeY8EqM18Cla/TIFXnSCXCOT5hG4fK68aD2FnZ1TZwtSP5GtxYhVN YD3D3FR9astbhLEReLytLxSwXCbGeaDNI7mSi5rnN5eoFdMVhG2ZaVBvzmcE5kSt 9BBKQqgLJ2MzkPQxi9JiwrL8au1WO3A3t8HtOZKf80UcBECiMOqkjmVEiW2/hA0n bGDb8J5f/QC+6UYIiIkEb2o2CMuEmplOm6G43vm+XZjqWP6XpfFFnHHhKnHDeQrQ Z9IRJ4RnFI2B5+l3vwC6WS6e/j+PsuE3sk1MBLlAGLAF69cspSOBxV4MvBQQFvCB 5YHW02Q/VKvejneSOsm/IIrZCau4JGC9uHCzSLRTa3tMg6HZd6CkI/B4l+IFg1Eo y61hb0sVJT5vgA5eNxv5G+B8fqNQTHNc0kmsef1OyReOA8dEkG1Q2OCayFcW6iQW JOUzHOP3R8pFiF8eLToxrY32KPsYh5S3KIgD4sNbjw5J23sEKY1Dn1uXgnLNL7BG hpJoTdwProANQWBW2iY5cxYyTqP3PSk6fYWx5VPAWNDOg0PnMxO4hCed6mrg0hvH XA1PeoxFEREvCyChxWDZL4Yg9ggB5Evba/qIwcTpNPC0Ma7KS9Q= =fUrC -----END PGP SIGNATURE-----
diff -Nru leptonlib-1.69/debian/changelog leptonlib-1.69/debian/changelog
--- leptonlib-1.69/debian/changelog 2012-07-19 21:39:52.000000000 +0000
+++ leptonlib-1.69/debian/changelog 2018-02-13 18:06:39.000000000 +0000
@@ -1,3 +1,11 @@
+leptonlib (1.69-3.1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2018-3836: gplotMakeOutput Command Injection Vulnerability
+ (closes: #889759)
+
+ -- Abhijith PA <abhijith@disroot.org> Tue, 13 Feb 2018 23:36:39 +0530
+
leptonlib (1.69-3.1) unstable; urgency=medium
* Non-maintainer upload
diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch leptonlib-1.69/debian/patches/CVE-2018-3836.patch
--- leptonlib-1.69/debian/patches/CVE-2018-3836.patch 1970-01-01 00:00:00.000000000 +0000
+++ leptonlib-1.69/debian/patches/CVE-2018-3836.patch 2018-02-13 18:06:39.000000000 +0000
@@ -0,0 +1,125 @@
+Description: Fix CVE-2018-3836.patch
+ An exploitable command injection vulnerability exists in the gplotMakeOutput
+ function of Leptonica. A specially crafted gplot rootname argument can cause a
+ command injection resulting in arbitrary code execution.
+ An attacker can provide a malicious path as input to an application that passes
+ attacker data to this function to trigger this vulnerability. Patch backported from
+ upstream.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://build.opensuse.org/package/view_file/home:kbabioch:branches:openSUSE:Leap:42.3:Update/leptonica/CVE-2018-3836.patch
+Bug: https://github.com/DanBloomberg/leptonica/issues/303
+Bug-Debian: https://bugs.debian.org/889759
+Last-Update: 2018-02-13
+
+Index: leptonlib-1.69/src/gplot.c
+===================================================================
+--- leptonlib-1.69.orig/src/gplot.c
++++ leptonlib-1.69/src/gplot.c
+@@ -129,9 +129,10 @@ gplotCreate(const char *rootname,
+ const char *xlabel,
+ const char *ylabel)
+ {
+-char *newroot;
+-char buf[L_BUF_SIZE];
+-GPLOT *gplot;
++char *newroot;
++char buf[L_BUF_SIZE];
++l_int32 badchar;
++GPLOT *gplot;
+
+ PROCNAME("gplotCreate");
+
+@@ -141,6 +142,9 @@ GPLOT *gplot;
+ outformat != GPLOT_EPS && outformat != GPLOT_X11 &&
+ outformat != GPLOT_LATEX)
+ return (GPLOT *)ERROR_PTR("outformat invalid", procName, NULL);
++ stringCheckForChars(rootname, "`;&|><\"?*", &badchar);
++ if (badchar) /* danger of command injection */
++ return (GPLOT *)ERROR_PTR("invalid rootname", procName, NULL);
+
+ if ((gplot = (GPLOT *)CALLOC(1, sizeof(GPLOT))) == NULL)
+ return (GPLOT *)ERROR_PTR("gplot not made", procName, NULL);
+@@ -360,18 +364,10 @@ l_int32 ignore;
+ gplotGenDataFiles(gplot);
+
+ #ifndef _WIN32
+- if (gplot->outformat != GPLOT_X11)
+- snprintf(buf, L_BUF_SIZE, "gnuplot %s &", gplot->cmdname);
+- else
+- snprintf(buf, L_BUF_SIZE,
+- "gnuplot -persist -geometry +10+10 %s &", gplot->cmdname);
++ snprintf(buf, L_BUF_SIZE, "gnuplot -persist %s", gplot->cmdname);
+ #else
+- if (gplot->outformat != GPLOT_X11)
+- snprintf(buf, L_BUF_SIZE, "wgnuplot %s", gplot->cmdname);
+- else
+- snprintf(buf, L_BUF_SIZE,
+- "wgnuplot -persist %s", gplot->cmdname);
+-#endif /* _WIN32 */
++ snprintf(buf, L_BUF_SIZE, "wgnuplot -persist %s", gplot->cmdname);
++#endif /* _WIN32 */
+ ignore = system(buf);
+ return 0;
+ }
+Index: leptonlib-1.69/src/utils.c
+===================================================================
+--- leptonlib-1.69.orig/src/utils.c
++++ leptonlib-1.69/src/utils.c
+@@ -50,6 +50,7 @@
+ * l_int32 stringSplitOnToken()
+ *
+ * Find and replace string and array procs
++ * l_int32 stringCheckForChars()
+ * char *stringRemoveChars()
+ * l_int32 stringFindSubstr()
+ * char *stringReplaceSubstr()
+@@ -1138,6 +1139,48 @@ char *saveptr;
+ * Find and replace procs *
+ *--------------------------------------------------------------------*/
+ /*!
++ * \brief stringCheckForChars()
++ *
++ * \param[in] src input string; can be of zero length
++ * \param[in] chars string of chars to be searched for in %src
++ * \param[out] pfound 1 if any characters are found; 0 otherwise
++ * \return 0 if OK, 1 on error
++ *
++ * <pre>
++ * Notes:
++ * (1) This can be used to sanitize an operation by checking for
++ * special characters that don't belong in a string.
++ * </pre>
++ */
++l_int32
++stringCheckForChars(const char *src,
++ const char *chars,
++ l_int32 *pfound)
++{
++char ch;
++l_int32 i, n;
++
++ PROCNAME("stringCheckForChars");
++
++ if (!pfound)
++ return ERROR_INT("&found not defined", procName, 1);
++ *pfound = FALSE;
++ if (!src || !chars)
++ return ERROR_INT("src and chars not both defined", procName, 1);
++
++ n = strlen(src);
++ for (i = 0; i < n; i++) {
++ ch = src[i];
++ if (strchr(chars, ch)) {
++ *pfound = TRUE;
++ break;
++ }
++ }
++ return 0;
++}
++
++
++/*!
+ * stringRemoveChars()
+ *
+ * Input: src (input string; can be of zero length)
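Review bot: The new check in gplotCreate is a denylist, and `"`;&|><\"?*"` leaves out characters a POSIX shell still interprets when `gplot->cmdname` (derived from `rootname`) is later spliced into the `gnuplot -persist %s` string handed to system() — `$`, parentheses, newline and plain whitespace among them — so the comment `/* danger of command injection */` overstates what the check guarantees and an untrusted rootname still should not reach this function. A stricter and easier-to-reason-about form is an allowlist: reject the name unless every character is one a plot file name legitimately needs, e.g. `if (!stringCheckForChars(...)) ...` replaced by a loop that fails on anything outside `[A-Za-z0-9._/-]`, or at least extend the comment to say the list is a partial mitigation. The gplotMakeOutput hunk also changes behaviour unrelated to the CVE (the `&` backgrounding is dropped and `-persist` is now passed for every output format, not only GPLOT_X11), and neither the changelog entry nor the patch Description mentions it; one sentence in the patch header would help the next maintainer. Because the check lives only in gplotCreate, any other code path in 1.69 that populates `gplot->rootname`/`cmdname` without going through it (a deserializing reader, if one exists) would bypass the mitigation — worth confirming before upload.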
diff -Nru leptonlib-1.69/debian/patches/series leptonlib-1.69/debian/patches/series
--- leptonlib-1.69/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ leptonlib-1.69/debian/patches/series 2018-02-13 18:06:39.000000000 +0000
@@ -0,0 +1 @@
+CVE-2018-3836.patch